Account Fraud Prevention

Introduction

This report is based on an assessment of data about bot threats, account takeover and fake account creation in the digital ecosystem, and investigates the possibility of building a system that is perfectly balanced between user satisfaction and protection against account takeover and fake account creation.

Problem magnitude

The digital commerce ecosystem has been a leading field of human economic activity for quite some time now with a staggering number of new businesses appearing every day.

Whereas the potential benefits of online business are evident, the problems of security and customer satisfaction are creating a state in which digital fraud has more ways to thrive than we can possibly imagine.

The economic incentives of fraudulent activity are a topic for another discussion, but it is safe to say that we now find ourselves in an environment infested with fraudsters on a truly terrifying scale. Reports show that around 90% of websites with login pages suffered attacks connected with credential cracking and credential stuffing, and 80% of websites were victims of activities aimed at the creation of new fake accounts.

Importance of account protection

Digital ecosystem trends clearly show a shift in the attitude of most businesses with 72% of companies indicating the improvement of customer satisfaction as their top priority. Companies that fail to deliver satisfactory user experience disappear and those that successfully cope with the task spend billions to improve the user experience.

With new ways to create customer value and satisfaction comes an increase in digital fraud and types of abuse, among which fake account creation and account takeover are, without a doubt, taking leading positions.

These types of fraud are especially dangerous because they significantly damage the user experience. No one is keen to get locked out of their account or to receive tons of spam messages. These are the most obvious examples of how account fraud ruins UX and eventually businesses, but there are myriad other ways it can harm you.

The password as a way to protect an account has long ceased to be a reliable security measure, with reports indicating that around 80% of people reuse their passwords across different profiles and recent credential spill reports indicating 3B credentials stolen in 2016 alone. This has led companies to come up with various additional fraud prevention techniques.

Fraud Prevention Techniques

Modern fraud prevention techniques provide a staggering number of methods to fight digital account fraud, ranging from blocking users after unsuccessful password entry to additional authentication methods such as captchas, security questions, etc.

The most common fake-signup prevention techniques include:

1. Captcha;
2. Mobile number verification;
3. Social login;
4. Honey pot.

The most common account-takeover prevention techniques include:

1. Account block after a number of failed logins;
2. IP address block after a number of failed attempts;
3. Cookies and browser fingerprinting;
4. Step-up authentication, secret questions, etc.

While most of the techniques described above show great results against specific types of fraud, each of them has weaknesses against other fraud types or creates difficulties for legitimate quality users.

User Experience vs Security

The main issue that any business faces in the era of customer centricity is maintaining an excellent user experience while providing the highest possible level of security. Opening new digital channels and simplifying necessary procedures have created a state in which users do not have to waste time on lengthy purchases or subscriptions. On the other hand, however, companies find themselves vulnerable to the ever-increasing fraud threat.

Most fraud prevention techniques are treated as a necessary evil rather than a remedy for the fraud problem. Captchas are used by companies whose websites are constantly targeted by scrapers and other bot types, although this can cost them up to a 3% decrease in conversions, since captchas are burdensome for many users.

The solution we at FraudHunt are working on aims to create a state in which every individual user is evaluated, and additional checks and verifications are applied to potentially dangerous users only. This keeps the impact of security measures on quality customers as small as possible and increases trust in the product, while at the same time providing security measures that effectively stop the majority of fraud threats before they reach your user zone.

FraudHunt Solution

FraudHunt is best described as a multifunctional user evaluation system. Our scripts gather massive amounts of information about every user and enable deep control over the quality of your traffic. Complex analytics and machine learning modules allow precise scoring and detection of all modern fraud techniques. In addition to providing a quality score for each user, FraudHunt enables detailed reporting on each individual case, which allows not only effective fraud prevention but also the possibility to really know each of your visitors.

Each user is assigned a unique resistant key. It ensures that even if a certain user changes device parameters, we will still know to whom the device belongs.

We segment traffic based on a number of triggers. The triggers themselves are designed to detect potentially dangerous users across the whole digital ecosystem. The combination of triggers in any specific field, however, may vary, so the sequence of triggers relevant to a given case must be determined individually.

Here you can see a ratio diagram of the most common triggers for all users across all of our websites. Some of the triggers are considered to be always fraudulent, such as emulation, shown on the pie chart: users with this trigger are in most cases fraudsters or bot systems.

Some triggers, however, are actually much more common for real quality users:

Ad blockers are among the most popular extensions / plugins for real human users; they allow users to prevent page elements, such as advertisements, from being displayed. The trigger itself is used for deep user analysis and, in some cases and setups, to detect various kinds of fraud.

The Do Not Track option instructs the browser not to keep track of the user, by telling every website you visit, their advertisers and content providers that you do not want your browsing behavior tracked. Although some exceptions exist in certain setups, the trigger is much more common among real human visitors.

The trigger ratio for specifically fraudulent traffic reflects the change in ratio between the triggers, with the most dangerous triggers taking the lead.

Bots, Emulations, and User Agent Changes are considered to be the most dangerous triggers:

Fraudsters may use virtual machines to create appropriate environments: for example, emulating iOS on a Linux platform and installing a legitimate Safari browser or, in the case of some bot farms, emulating an appropriate environment on the server side.

Up to 60% of your traffic can come from individual bots or bot networks. They successfully mimic human behavior and mask their real identity to perform a wide range of fraudulent activities.

FraudHunt Value

The main value in the proposed solution lies in the ability to deeply segment your website users and block bots and fraudsters without burdening your quality users with unnecessary security checks.

Our API allows you to store information about every user. Saving an email + FPkey combination for every user, or FPkey + any identifier you use, ensures that you have a database of FPkeys for every user stored on your server. This enables detection of the same user across all platforms he or she uses.

FraudHunt Script Integration

The core of the system consists of a single line of JavaScript that is integrated into your website.

The time the script needs depends on factors such as user location, user device, user agent, etc. Around 3 seconds after a user visits your page, all necessary information about him or her is present in our database and ready for the API call.

The script is to be integrated on the following pages:

1. The landing page (optional);
2. The registration page;
3. The welcome page.

Triple-layer integration ensures that the script extracts all the necessary information irrespective of the time a user spends on any given page, and that any potential fraudster is checked even if they successfully bypass the initial block page.

Click here to find the full description of the FraudHunt Script integration.

FraudHunt API integration

Access to the API is granted to any user upon approval from the FraudHunt team. The API call is initiated the moment a given user clicks the Register button on your website, or at any other time you find necessary.

The API response is configurable and offers a number of options, depending on your preferences and the types of threats your website faces.

Click here to find the full description of the API integration and API options available.

Fraud Filtering

Using this model enables a flexible authentication procedure. For example, you can initiate different additional checks for different types of triggers (captchas for bots, user agent changes and emulations, phone number verification for proxy services, etc.), as well as send users for manual review depending on any factors you choose.
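The routing described above, as an added illustration that is not FraudHunt's own code: the trigger names, the action vocabulary, the threshold and the server-side email + FPkey store are constructed assumptions, not values from the API.

```python
"""Trigger-based step-up routing for one registration attempt.

Added example, not FraudHunt's code. Trigger names, actions, the
identity threshold and the FPkey store layout are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Triggers the paper calls the most dangerous: always route to a captcha.
CAPTCHA_TRIGGERS = {"bot", "emulation", "user_agent_change"}
# Anonymising infrastructure gets a phone-number check instead.
PHONE_TRIGGERS = {"proxy"}
# Common among real users; informational only, never a block on their own.
BENIGN_TRIGGERS = {"ad_blocker", "do_not_track"}


@dataclass
class FPKeyStore:
    """Server-side FPkey -> emails map, as the paper recommends keeping."""
    by_fpkey: dict[str, set[str]] = field(default_factory=dict)

    def record(self, fpkey: str, email: str) -> None:
        self.by_fpkey.setdefault(fpkey, set()).add(email)

    def other_identities(self, fpkey: str, email: str) -> int:
        """How many *other* emails this resistant key has registered with."""
        return len(self.by_fpkey.get(fpkey, set()) - {email})


def route_signup(triggers: set[str], fpkey: str, email: str,
                 store: FPKeyStore, max_identities: int = 3) -> str:
    """Return the step-up action for this attempt.

    Priority: manual review (one device tied to many emails) >
    captcha (bot-like signals) > phone verification (proxy) > allow.
    """
    # Same resistant key already seen with several emails: review by hand.
    if store.other_identities(fpkey, email) >= max_identities:
        return "manual_review"
    if triggers & CAPTCHA_TRIGGERS:
        return "captcha"
    if triggers & PHONE_TRIGGERS:
        return "phone_verification"
    # Only benign or no triggers: let quality users through untouched.
    return "allow"
```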

Conclusion

Every website owner faces the challenge of maintaining excellent customer relations while keeping fraudsters at bay. FraudHunt Account Fraud Prevention offers a holistic approach to fraud elimination. Our solution allows deep analysis of every visitor and gives you the power to make life easier for quality users and unbearable for fraudsters and malicious bots.